Created | 2023.04.20 07:47 | Machine | s1_win7_x6401 |
Filename | main.exe | ||
Type | PE32+ executable (GUI) x86-64 (stripped to external PDB), for MS Windows | ||
AI Score |
|
Behavior Score |
|
ZERO API | file : clean | ||
VT API (file) | 24 detected (Alien, unsafe, malicious, confidence, Attribute, HighConfidence, high confidence, a variant of Generik, MIBXHGM, score, Redcap, cqbyk, Artemis, CLOUD, ReverseShell) | ||
md5 | 45262284e62e33737f9305bd48c92a87 | ||
sha256 | b3b40ffaa8d5d3e628f6603743429c0df93d5ba97ee56220d0c8be4206993cc1 | ||
ssdeep | 12288:CoSAgdlpzkngwD6yEONzfThCvEoliAP2YlSUybmWHlkYOuWGtERK7bmlL64e+:A1dlpzkn9uVONzfovEoliA8BWGtER56 | ||
imphash | 7b27c4996f30fbd5f51e4abfad8b5c8e | ||
impfuzzy | 48:nr+M39lmLeFeo2R4p9bnXiX1PnvFslJJG3YCi61vm/GKjqgesqY:nqM3/m0e5R4p9bnXiX1PvFYJJGovMQj7 |
Network IP location
Signature (16cnts)
Level | Description |
---|---|
warning | File has been identified by 24 AntiVirus engines on VirusTotal as malicious |
warning | Generates some ICMP traffic |
watch | Expresses interest in specific running processes |
watch | The process powershell.exe wrote an executable file to disk |
notice | Allocates read-write-execute memory (usually to unpack itself) |
notice | Checks for the Locally Unique Identifier on the system for a suspicious privilege |
notice | Creates a shortcut to an executable file |
notice | Creates a suspicious process |
notice | Executes one or more WMI queries |
notice | Searches running processes potentially to identify processes for sandbox evasion |
info | Checks amount of memory in system |
info | Checks if process is being debugged by a debugger |
info | Collects information to fingerprint the system (MachineGuid) |
info | Command line console output was observed |
info | Queries for the computername |
info | Uses Windows APIs to generate a cryptographic key |
Rules (5cnts)
Level | Name | Description | Collection |
---|---|---|---|
warning | Generic_Malware_Zero | Generic Malware | binaries (download) |
watch | Antivirus | Contains references to security software | binaries (download) |
info | IsPE64 | (no description) | binaries (upload) |
info | PE_Header_Zero | PE File Signature | binaries (upload) |
info | PowerShell | PowerShell script | scripts |
PE API
IAT(Import Address Table) Library
KERNEL32.dll
0x1400e64c4 AddVectoredExceptionHandler
0x1400e64cc CloseHandle
0x1400e64d4 CreateEventA
0x1400e64dc CreateProcessA
0x1400e64e4 CreateSemaphoreA
0x1400e64ec CreateToolhelp32Snapshot
0x1400e64f4 DeleteCriticalSection
0x1400e64fc DuplicateHandle
0x1400e6504 EnterCriticalSection
0x1400e650c FormatMessageA
0x1400e6514 GetCurrentProcess
0x1400e651c GetCurrentProcessId
0x1400e6524 GetCurrentThread
0x1400e652c GetCurrentThreadId
0x1400e6534 GetHandleInformation
0x1400e653c GetLastError
0x1400e6544 GetModuleHandleW
0x1400e654c GetProcAddress
0x1400e6554 GetProcessAffinityMask
0x1400e655c GetProcessHeap
0x1400e6564 GetSystemTimeAsFileTime
0x1400e656c GetThreadContext
0x1400e6574 GetThreadPriority
0x1400e657c GetTickCount64
0x1400e6584 HeapAlloc
0x1400e658c InitializeCriticalSection
0x1400e6594 InitializeProcThreadAttributeList
0x1400e659c IsDBCSLeadByteEx
0x1400e65a4 IsDebuggerPresent
0x1400e65ac LeaveCriticalSection
0x1400e65b4 LoadLibraryW
0x1400e65bc LocalFree
0x1400e65c4 MultiByteToWideChar
0x1400e65cc OpenProcess
0x1400e65d4 OutputDebugStringA
0x1400e65dc Process32First
0x1400e65e4 Process32Next
0x1400e65ec RaiseException
0x1400e65f4 ReleaseSemaphore
0x1400e65fc RemoveVectoredExceptionHandler
0x1400e6604 ResetEvent
0x1400e660c ResumeThread
0x1400e6614 RtlCaptureContext
0x1400e661c RtlLookupFunctionEntry
0x1400e6624 RtlUnwindEx
0x1400e662c RtlVirtualUnwind
0x1400e6634 SetEvent
0x1400e663c SetLastError
0x1400e6644 SetProcessAffinityMask
0x1400e664c SetThreadContext
0x1400e6654 SetThreadPriority
0x1400e665c SetUnhandledExceptionFilter
0x1400e6664 Sleep
0x1400e666c SuspendThread
0x1400e6674 TlsAlloc
0x1400e667c TlsGetValue
0x1400e6684 TlsSetValue
0x1400e668c TryEnterCriticalSection
0x1400e6694 UpdateProcThreadAttribute
0x1400e669c VirtualProtect
0x1400e66a4 VirtualQuery
0x1400e66ac WaitForMultipleObjects
0x1400e66b4 WaitForSingleObject
0x1400e66bc WideCharToMultiByte
msvcrt.dll
0x1400e66cc __C_specific_handler
0x1400e66d4 ___lc_codepage_func
0x1400e66dc ___mb_cur_max_func
0x1400e66e4 __getmainargs
0x1400e66ec __initenv
0x1400e66f4 __iob_func
0x1400e66fc __set_app_type
0x1400e6704 __setusermatherr
0x1400e670c _amsg_exit
0x1400e6714 _beginthreadex
0x1400e671c _cexit
0x1400e6724 _close
0x1400e672c _commode
0x1400e6734 _endthreadex
0x1400e673c _errno
0x1400e6744 _filelengthi64
0x1400e674c _fileno
0x1400e6754 _fileno
0x1400e675c _fdopen
0x1400e6764 _fmode
0x1400e676c _fstat64
0x1400e6774 _initterm
0x1400e677c _lseeki64
0x1400e6784 _onexit
0x1400e678c _read
0x1400e6794 _setjmp
0x1400e679c _strdup
0x1400e67a4 _stricmp
0x1400e67ac _ultoa
0x1400e67b4 _wfopen
0x1400e67bc abort
0x1400e67c4 calloc
0x1400e67cc exit
0x1400e67d4 fclose
0x1400e67dc fflush
0x1400e67e4 fgetpos
0x1400e67ec fopen
0x1400e67f4 fprintf
0x1400e67fc fputc
0x1400e6804 fputs
0x1400e680c free
0x1400e6814 fread
0x1400e681c fwrite
0x1400e6824 fsetpos
0x1400e682c getc
0x1400e6834 getwc
0x1400e683c iswctype
0x1400e6844 _write
0x1400e684c localeconv
0x1400e6854 longjmp
0x1400e685c malloc
0x1400e6864 memchr
0x1400e686c memcmp
0x1400e6874 memcpy
0x1400e687c memmove
0x1400e6884 memset
0x1400e688c printf
0x1400e6894 putc
0x1400e689c putwc
0x1400e68a4 realloc
0x1400e68ac setlocale
0x1400e68b4 setvbuf
0x1400e68bc signal
0x1400e68c4 strcmp
0x1400e68cc strcoll
0x1400e68d4 strerror
0x1400e68dc strftime
0x1400e68e4 strlen
0x1400e68ec strncmp
0x1400e68f4 strxfrm
0x1400e68fc towlower
0x1400e6904 ungetwc
0x1400e690c towupper
0x1400e6914 ungetc
0x1400e691c vfprintf
0x1400e6924 wcscoll
0x1400e692c wcsftime
0x1400e6934 wcslen
0x1400e693c wcsxfrm
EAT(Export Address Table) is none
KERNEL32.dll
0x1400e64c4 AddVectoredExceptionHandler
0x1400e64cc CloseHandle
0x1400e64d4 CreateEventA
0x1400e64dc CreateProcessA
0x1400e64e4 CreateSemaphoreA
0x1400e64ec CreateToolhelp32Snapshot
0x1400e64f4 DeleteCriticalSection
0x1400e64fc DuplicateHandle
0x1400e6504 EnterCriticalSection
0x1400e650c FormatMessageA
0x1400e6514 GetCurrentProcess
0x1400e651c GetCurrentProcessId
0x1400e6524 GetCurrentThread
0x1400e652c GetCurrentThreadId
0x1400e6534 GetHandleInformation
0x1400e653c GetLastError
0x1400e6544 GetModuleHandleW
0x1400e654c GetProcAddress
0x1400e6554 GetProcessAffinityMask
0x1400e655c GetProcessHeap
0x1400e6564 GetSystemTimeAsFileTime
0x1400e656c GetThreadContext
0x1400e6574 GetThreadPriority
0x1400e657c GetTickCount64
0x1400e6584 HeapAlloc
0x1400e658c InitializeCriticalSection
0x1400e6594 InitializeProcThreadAttributeList
0x1400e659c IsDBCSLeadByteEx
0x1400e65a4 IsDebuggerPresent
0x1400e65ac LeaveCriticalSection
0x1400e65b4 LoadLibraryW
0x1400e65bc LocalFree
0x1400e65c4 MultiByteToWideChar
0x1400e65cc OpenProcess
0x1400e65d4 OutputDebugStringA
0x1400e65dc Process32First
0x1400e65e4 Process32Next
0x1400e65ec RaiseException
0x1400e65f4 ReleaseSemaphore
0x1400e65fc RemoveVectoredExceptionHandler
0x1400e6604 ResetEvent
0x1400e660c ResumeThread
0x1400e6614 RtlCaptureContext
0x1400e661c RtlLookupFunctionEntry
0x1400e6624 RtlUnwindEx
0x1400e662c RtlVirtualUnwind
0x1400e6634 SetEvent
0x1400e663c SetLastError
0x1400e6644 SetProcessAffinityMask
0x1400e664c SetThreadContext
0x1400e6654 SetThreadPriority
0x1400e665c SetUnhandledExceptionFilter
0x1400e6664 Sleep
0x1400e666c SuspendThread
0x1400e6674 TlsAlloc
0x1400e667c TlsGetValue
0x1400e6684 TlsSetValue
0x1400e668c TryEnterCriticalSection
0x1400e6694 UpdateProcThreadAttribute
0x1400e669c VirtualProtect
0x1400e66a4 VirtualQuery
0x1400e66ac WaitForMultipleObjects
0x1400e66b4 WaitForSingleObject
0x1400e66bc WideCharToMultiByte
msvcrt.dll
0x1400e66cc __C_specific_handler
0x1400e66d4 ___lc_codepage_func
0x1400e66dc ___mb_cur_max_func
0x1400e66e4 __getmainargs
0x1400e66ec __initenv
0x1400e66f4 __iob_func
0x1400e66fc __set_app_type
0x1400e6704 __setusermatherr
0x1400e670c _amsg_exit
0x1400e6714 _beginthreadex
0x1400e671c _cexit
0x1400e6724 _close
0x1400e672c _commode
0x1400e6734 _endthreadex
0x1400e673c _errno
0x1400e6744 _filelengthi64
0x1400e674c _fileno
0x1400e6754 _fileno
0x1400e675c _fdopen
0x1400e6764 _fmode
0x1400e676c _fstat64
0x1400e6774 _initterm
0x1400e677c _lseeki64
0x1400e6784 _onexit
0x1400e678c _read
0x1400e6794 _setjmp
0x1400e679c _strdup
0x1400e67a4 _stricmp
0x1400e67ac _ultoa
0x1400e67b4 _wfopen
0x1400e67bc abort
0x1400e67c4 calloc
0x1400e67cc exit
0x1400e67d4 fclose
0x1400e67dc fflush
0x1400e67e4 fgetpos
0x1400e67ec fopen
0x1400e67f4 fprintf
0x1400e67fc fputc
0x1400e6804 fputs
0x1400e680c free
0x1400e6814 fread
0x1400e681c fwrite
0x1400e6824 fsetpos
0x1400e682c getc
0x1400e6834 getwc
0x1400e683c iswctype
0x1400e6844 _write
0x1400e684c localeconv
0x1400e6854 longjmp
0x1400e685c malloc
0x1400e6864 memchr
0x1400e686c memcmp
0x1400e6874 memcpy
0x1400e687c memmove
0x1400e6884 memset
0x1400e688c printf
0x1400e6894 putc
0x1400e689c putwc
0x1400e68a4 realloc
0x1400e68ac setlocale
0x1400e68b4 setvbuf
0x1400e68bc signal
0x1400e68c4 strcmp
0x1400e68cc strcoll
0x1400e68d4 strerror
0x1400e68dc strftime
0x1400e68e4 strlen
0x1400e68ec strncmp
0x1400e68f4 strxfrm
0x1400e68fc towlower
0x1400e6904 ungetwc
0x1400e690c towupper
0x1400e6914 ungetc
0x1400e691c vfprintf
0x1400e6924 wcscoll
0x1400e692c wcsftime
0x1400e6934 wcslen
0x1400e693c wcsxfrm
EAT(Export Address Table) is none